3054042 – computer intrusions

A recent slew of high-profile hacks raised alarms for business leaders in New York state and could bring attention to a data-protection law that took effect at the start of the pandemic last year. New York City’s Law Department said in June that its computer systems were breached and had to be shut down. Officials said they did not believe any data was stolen or damaged, but Mayor Bill de Blasio acknowledged that hacks are a constant risk.

The mayor spoke a day after the chief executive of Colonial Pipeline appeared in front of Congress to explain a May ransomware attack that disrupted the fuel supply for much of the Eastern US. In June, the Metropolitan Transportation Authority admitted its systems were breached by a cyberattack in April. Meat supplier JBS said it paid $11 million to hackers to resolve a ransomware threat.

The run of attacks comes roughly a year after a state law strengthening cybersecurity requirements for companies in New York took effect. The Stop Hacks and Improve Electronic Data Security (Shield) Act took full effect in March 2020 – although it was overshadowed by the Covid-19 pandemic.

The law tightened potential loopholes around when data breaches and cyber-attacks must be reported to state authorities. Under previous law, data breaches had to be reported only if customer or personal data was acquired by an unauthorized entity. In ransomware attacks, it is not always clear whether consumer data held by the company was acquired by hackers, or simply locked up in exchange for payment – so attacks may not have always been reported. Now companies are legally obligated to report cyberattacks in which consumer data is accessed in any form and could face fines if they do not. The law also requires that companies institute reasonable safeguards to protect consumer data.

If an attorney general investigation into a breach found a company “knowingly or recklessly” violating the Shield Act, “there is absolutely some pretty significant fines that could result in that failure,” said Ryan Blaney, head of the privacy and cybersecurity group at Proskauer Rose.

Although hacks on major corporations get the most attention, small businesses are also frequently targeted because they often lack the safeguards of a larger organization, making them easier targets. Investing in threat prevention is critical, regardless of a firm’s size.

Source: Crain’s New York Business